New York Officials Investigating Apple's FaceTime Eavesdropping Bug

New York Attorney General Letitia James and Governor Andrew Cuomo are investigating the FaceTime eavesdropping bug on iOS devices that allowed a person to FaceTime another person and hear conversations and see videos even when the call was not answered.

According to Bloomberg, the New York officials will be focusing on Apple's failure to warn consumers about the bug and its slow response.


How the FaceTime eavesdropping bug worked

The FaceTime eavesdropping bug was widely publicized on Monday, and several hours after information on how to execute the exploit spread, Apple disabled the Group FaceTime servers.


"This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years," James said in the statement on Wednesday.

"We need a full accounting of the facts to confirm businesses are abiding by New York consumer protection laws and to help make sure this type of privacy breach does not happen again," Cuomo said in the statement.


Apple is planning to release a software fix that will solve the bug and will allow the company to bring Group FaceTime back online. That update is expected sometime this week.

While the glitch was not widely known until Monday afternoon, Apple was informed about the bug more than a week prior. The person who contacted Apple said that Apple did not respond to multiple attempts to notify the company about the issue.

It's not entirely clear if Apple knew about the bug and was working on a fix internally at the time that it became widespread, but if so, Apple certainly left it functional and did not move to disable Group FaceTime until forced to do so. For that reason, it's not known how long the bug has been present in iOS and how long people may have been quietly exploiting it.

In addition to the inquiry from New York officials, Apple is also facing a lawsuit over the issue. Yesterday, an attorney said the FaceTime bug allowed an unknown person to listen in on sworn testimony during a client deposition.

Looking over the description of how the discoverer reported the bug to Apple, it's not quite perfect. But there's no chance I'd blame the reporter. Apple could have and should have responded better to them, because asking an end user to file a bug report in Radar is not reasonable.

Yes, Radar is how Apple communicates with itself. But in this case the person on the other end of product-security@apple.com could have literally opened bug reporter himself, typed "some guy is reporting we have a security problem" as the summary and gone from there, pasting emails in as they arrived. Apple would be better off than they are now.

It’s a really bad bug, but boy — with all these recent articles about Google and Facebook, something just seems a little off.

All these in-depth investigations and lawsuits related to security/privacy bugs seem to target Apple, yet flagrant and deliberate privacy violations seem to almost go unchecked or dismissed.

Regardless, it’s not the first time this has happened where media attention seems to “resolve” an Apple bug faster than a bug report does (Calculator iOS app being a prime example). Hopefully this will finally kick Apple into gear with rethinking how they address bugs logged and keep communication between their teams.

I have a lot of criticisms of Apple, but their response to the Group FaceTime bug is not one of them. I don't know what the Governor's office is looking to gain from this... but they're looking to gain something. Government officials generally don't get off their asses unless there is something in it for them.

I think this thing is completely overblown. You have to set up a GROUP FaceTime call then PURPOSELY add your own number. And this only lasts as long as it takes for the other party to pick up the call or for the call to go to voicemail. This is TOTALLY overblown.

This is so..weird. I don't even see this as "Apple" anymore. No innovation with the balls to jack products to asinine prices while their competitors are innovating their a**** off, more focus on campuses and weird services like streaming/original content over hardware, and most importantly, they knew about a flaw in security (no matter what scope), and despite the various advertisements/assurances about how seriously they take security..they willingly pushed it to the side? That was like..the one thing I was confident that they would never screw around with.

I think this thing is completely overblown. You have to set up a GROUP FaceTime call then PURPOSELY add your own number. And this only lasts as long as it takes for the other party to pick up the call or for the call to go to voicemail. This is TOTALLY overblown.


Did you miss the part about the receiving party silencing the call starting the video feed too?

They first officially heard about it Monday and killed it off Monday. People act like Apple sat on this for months or something.
Just cause you tweet Apple that you found a bug it does not get seen by the right folks. Can you imagine how many tweets Apple gets in one hour, not to mention a whole day?

This is so..weird. I don't even see this as "Apple" anymore. No innovation with the balls to jack products to asinine prices while their competitors are innovating their a**** off, more focus on campuses and weird services like streaming/original content over hardware, and most importantly, they knew about a flaw in security (no matter what scope), and despite the various advertisements/assurances about how seriously they take security..they willingly pushed it to the side? That was like..the one thing I was confident that they would never screw around with.


So, with hundreds of thousands of beta testers unable to find this bug after 5 betas Apple is to blame for not testing it enough? I guess you prefer Google who purposely hacked Safari to track people who selected do not track. Their intimate access came from being a partner and exploiting it.

It’s a really bad bug, but boy — with all these recent articles about Google and Facebook, something just seems a little off.

All these in-depth investigations and lawsuits related to security/privacy bugs seem to target Apple, yet flagrant and deliberate privacy violations seem to almost go unchecked or dismissed.

Regardless, it’s not the first time this has happened where media attention seems to “resolve” an Apple bug faster than a bug report does (Calculator iOS app being a prime example). Hopefully this will finally kick Apple into gear with rethinking how they address bugs logged and keep communication between their teams.


Well things certainly just got interesting around here.. I think that’s the quote from Wreck It Ralph? That’s in relation to this article..

With reference to Google and especially Facebook, what’s new? The media will go back to Facebook, maybe Google soon enough. In fact more pressure and media attention here in the UK is being brought into the social media giants and their rather complete lack of any social responsibility whatsoever... it will not end well for them or the people’s liberties, but that’s the road it’s going down.
So they are in the news, but for more important things that are costing lives.

So, with hundreds of thousands of beta testers unable to find this bug after 5 betas Apple is to blame for not testing it enough? I guess you prefer Google who purposely hacked Safari to track people who selected do not track. Their intimate access came from being a partner and exploiting it.


I didn't say I prefer any company over the other here - which is why I said I held Apple to a standard of this not being anything close to something like them. It doesn't matter if 15 million testers were unable to find the bug. Apple knew of the problem a week prior to the public freakout. Not faulting it being a mistake - but their response. Like I said, no matter the scope, they assured this type of thing would not happen.

Look at Google and Facebook. They have no shame in collecting your data, with or without your knowledge. The difference is, Apple didn't do this on purpose. I still think someone should be fired at Apple for this, but it's not company policy to record what you do as it is with Android.

Basically, Apple is the best we have for privacy and security...and it isn't close, mistakes and all.
